Some information is lost when using CyloneDX SBOM as an intermediate in vulnerability scanning #5424

ryukez · 2023-10-22T11:30:59Z

ryukez
Oct 22, 2023

Description

Hi, developers. Thank you always for developing great product!

When we use SBOM as an intermediate for vulnerability scanning, information such as PkgPath, Layer is lost in vulnerability scan report.
Here, using SBOM as an intermediate means:

First, output SBOM for artifact (ex. trivy image python:3.9.18-slim-bullseye --format cyclonedx > sbom.json)
Then, run vulnerability scan for SBOM (ex. trivy sbom sbom.json --format json > vuls.json)

Desired Behavior

We expect original artifact information is saved. For example, in case of python:3.9.18-slim-bullseye, here is the result of direct vulnerability scanning (trivy image python:3.9.18-slim-bullseye --format json > vuls.json):

    {
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-40897",
          "PkgName": "setuptools",
          "PkgPath": "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA",
          "InstalledVersion": "58.1.0",
          "FixedVersion": "65.5.1",
          "Layer": {
            "Digest": "sha256:de7a1221312a618b08638bf779ae3d529927397cf96df3b1eace8cf941a66959",
            "DiffID": "sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "Regular Expression Denial of Service (ReDoS) in package_index.py",
          "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-1333"
          ],
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            },
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:0952",
            "https://access.redhat.com/security/cve/CVE-2022-40897",
            "https://bugzilla.redhat.com/2158559",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2158559",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897",
            "https://errata.almalinux.org/9/ALSA-2023-0952.html",
            "https://errata.rockylinux.org/RLSA-2023:0952",
            "https://github.com/pypa/setuptools/",
            "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200",
            "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be",
            "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1",
            "https://github.com/pypa/setuptools/issues/3659",
            "https://linux.oracle.com/cve/CVE-2022-40897.html",
            "https://linux.oracle.com/errata/ELSA-2023-12348.html",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40897",
            "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/",
            "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/",
            "https://security.netapp.com/advisory/ntap-20230214-0001/",
            "https://setuptools.pypa.io/en/latest/",
            "https://ubuntu.com/security/notices/USN-5817-1",
            "https://www.cve.org/CVERecord?id=CVE-2022-40897"
          ],
          "PublishedDate": "2022-12-23T00:15:00Z",
          "LastModifiedDate": "2023-08-08T14:22:00Z"
        }
      ]
    }

Actual Behavior

Information such as PkgPath, Layer is lost. Here is the result of 2-step scan with SBOM intermediate:

    {
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-40897",
          "PkgName": "setuptools",
          "InstalledVersion": "58.1.0",
          "FixedVersion": "65.5.1",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
          "Ref": "pkg:pypi/[email protected]?file_path=usr%2Flocal%2Flib%2Fpython3.9%2Fsite-packages%2Fsetuptools-58.1.0.dist-info%2FMETADATA",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "Regular Expression Denial of Service (ReDoS) in package_index.py",
          "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-1333"
          ],
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            },
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 5.9
            }
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2023:0952",
            "https://access.redhat.com/security/cve/CVE-2022-40897",
            "https://bugzilla.redhat.com/2158559",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2158559",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897",
            "https://errata.almalinux.org/9/ALSA-2023-0952.html",
            "https://errata.rockylinux.org/RLSA-2023:0952",
            "https://github.com/pypa/setuptools/",
            "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200",
            "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be",
            "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1",
            "https://github.com/pypa/setuptools/issues/3659",
            "https://linux.oracle.com/cve/CVE-2022-40897.html",
            "https://linux.oracle.com/errata/ELSA-2023-12348.html",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-40897",
            "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/",
            "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/",
            "https://security.netapp.com/advisory/ntap-20230214-0001/",
            "https://setuptools.pypa.io/en/latest/",
            "https://ubuntu.com/security/notices/USN-5817-1",
            "https://www.cve.org/CVERecord?id=CVE-2022-40897"
          ],
          "PublishedDate": "2022-12-23T00:15:00Z",
          "LastModifiedDate": "2023-08-08T14:22:00Z"
        }
      ]
    }

Reproduction Steps

1. (direct scan) `trivy image python:3.9.18-slim-bullseye --format json > vuls.json`
2. (2-step scan 1) `trivy image python:3.9.18-slim-bullseye --format cyclonedx > sbom.json`
3. (2-step scan 2) `trivy sbom sbom.json --format json > vuls-sbom.json`
4. compare `vuls.json` and `vuls-sbom.json`

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

1. `trivy image python:3.9.18-slim-bullseye --format json > vuls.json --debug`


2023-10-22T20:27:01.710+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-22T20:27:01.720+0900    DEBUG   cache dir:  /Users/ryunosuke/Library/Caches/trivy
2023-10-22T20:27:01.720+0900    DEBUG   DB update was skipped because the local DB is the latest
2023-10-22T20:27:01.720+0900    DEBUG   DB Schema: 2, UpdatedAt: 2023-10-22 06:14:29.147118772 +0000 UTC, NextUpdate: 2023-10-22 12:14:29.147118272 +0000 UTC, DownloadedAt: 2023-10-22 08:47:54.493613 +0000 UTC
2023-10-22T20:27:01.720+0900    INFO    Vulnerability scanning is enabled
2023-10-22T20:27:01.720+0900    DEBUG   Vulnerability type:  [os library]
2023-10-22T20:27:01.720+0900    INFO    Secret scanning is enabled
2023-10-22T20:27:01.720+0900    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-10-22T20:27:01.720+0900    INFO    Please see also https://aquasecurity.github.io/trivy/v0.40/docs/secret/scanning/#recommendation for faster secret detection
2023-10-22T20:27:04.613+0900    DEBUG   No secret config detected: trivy-secret.yaml
2023-10-22T20:27:05.242+0900    DEBUG   Image ID: sha256:268423777e4e256dace829a6418d766a395cef44a0e0af8ff11c01ed6d63e46a
2023-10-22T20:27:05.243+0900    DEBUG   Diff IDs: [sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497 sha256:82e0c38f9eb95b21a12e14e6163a9c54e13f345134ffa44508579e46db06c6f3 sha256:c43bf62773507d73529aba79ccce9744dc2f9ea4710f4c5d47d47d3b8f0eaab8 sha256:5e713079b827c0bf9150b930f81a07a071d24a55f4d1faf4b6c45ce5cd13980b sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99]
2023-10-22T20:27:05.243+0900    DEBUG   Base Layers: [sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497]
2023-10-22T20:27:05.259+0900    INFO    Detected OS: debian
2023-10-22T20:27:05.259+0900    INFO    Detecting Debian vulnerabilities...
2023-10-22T20:27:05.259+0900    DEBUG   debian: os version: 11
2023-10-22T20:27:05.259+0900    DEBUG   debian: the number of packages: 105
2023-10-22T20:27:05.277+0900    INFO    Number of language-specific files: 1
2023-10-22T20:27:05.277+0900    INFO    Detecting python-pkg vulnerabilities...
2023-10-22T20:27:05.277+0900    DEBUG   Detecting library vulnerabilities, type: python-pkg, path:

trivy image python:3.9.18-slim-bullseye --format cyclonedx > sbom.json --debug

2023-10-22T20:27:50.504+0900    DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-10-22T20:27:50.504+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-22T20:27:50.505+0900    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-10-22T20:27:50.513+0900    DEBUG   cache dir:  /Users/ryunosuke/Library/Caches/trivy
2023-10-22T20:27:53.916+0900    DEBUG   Image ID: sha256:268423777e4e256dace829a6418d766a395cef44a0e0af8ff11c01ed6d63e46a
2023-10-22T20:27:53.916+0900    DEBUG   Diff IDs: [sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497 sha256:82e0c38f9eb95b21a12e14e6163a9c54e13f345134ffa44508579e46db06c6f3 sha256:c43bf62773507d73529aba79ccce9744dc2f9ea4710f4c5d47d47d3b8f0eaab8 sha256:5e713079b827c0bf9150b930f81a07a071d24a55f4d1faf4b6c45ce5cd13980b sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99]
2023-10-22T20:27:53.916+0900    DEBUG   Base Layers: [sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497]

trivy sbom sbom.json --format json > vuls-sbom.json --debug

2023-10-22T20:28:33.605+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-22T20:28:33.618+0900    DEBUG   cache dir:  /Users/ryunosuke/Library/Caches/trivy
2023-10-22T20:28:33.623+0900    DEBUG   DB update was skipped because the local DB is the latest
2023-10-22T20:28:33.623+0900    DEBUG   DB Schema: 2, UpdatedAt: 2023-10-22 06:14:29.147118772 +0000 UTC, NextUpdate: 2023-10-22 12:14:29.147118272 +0000 UTC, DownloadedAt: 2023-10-22 08:47:54.493613 +0000 UTC
2023-10-22T20:28:33.623+0900    INFO    Vulnerability scanning is enabled
2023-10-22T20:28:33.623+0900    DEBUG   Vulnerability type:  [os library]
2023-10-22T20:28:33.627+0900    INFO    Detected SBOM format: cyclonedx-json
2023-10-22T20:28:33.630+0900    DEBUG   Unmarshaling CycloneDX JSON...
2023-10-22T20:28:33.646+0900    INFO    Detected OS: debian
2023-10-22T20:28:33.646+0900    INFO    Detecting Debian vulnerabilities...
2023-10-22T20:28:33.646+0900    DEBUG   debian: os version: 11
2023-10-22T20:28:33.646+0900    DEBUG   debian: the number of packages: 105
2023-10-22T20:28:33.670+0900    INFO    Number of language-specific files: 1
2023-10-22T20:28:33.670+0900    INFO    Detecting python-pkg vulnerabilities...
2023-10-22T20:28:33.670+0900    DEBUG   Detecting library vulnerabilities, type: python-pkg, path:



### Operating System

macOS Ventura 13.0

### Version

```bash
0.40.0

Checklist

Run trivy image --reset
Read the troubleshooting

DmitriyLewen · 2023-10-23T04:47:54Z

DmitriyLewen
Oct 23, 2023
Maintainer

Hello @ryukez
Thanks for your report!

You need to update Trivy to see PkgPath:

➜ cat vuls-sbom.json| jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-2022-40897") | .PkgPath'
"usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"

About layers - i will investigate this issue and write to you.

Regards, Dmitriy

1 reply

ryukez Oct 23, 2023
Author

Thank you for quick response 😄
As your comment, I updated my trivy and confirmed that pkgPath is shown! Sorry for lack of investigation 🙇

About layers - i will investigate this issue and write to you.

It'd be really appreciated, thank you!!

DmitriyLewen · 2023-10-23T06:46:58Z

DmitriyLewen
Oct 23, 2023
Maintainer

I created #5430 for layer issue.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Some information is lost when using CyloneDX SBOM as an intermediate in vulnerability scanning #5424

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Some information is lost when using CyloneDX SBOM as an intermediate in vulnerability scanning #5424

ryukez Oct 22, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Checklist

Replies: 2 comments · 1 reply

DmitriyLewen Oct 23, 2023 Maintainer

ryukez Oct 23, 2023 Author

DmitriyLewen Oct 23, 2023 Maintainer

ryukez
Oct 22, 2023

Replies: 2 comments 1 reply

DmitriyLewen
Oct 23, 2023
Maintainer

ryukez Oct 23, 2023
Author

DmitriyLewen
Oct 23, 2023
Maintainer